
Security logs... Is this what I think it is?

Alright, I've never been so interested in watching Windows system logs, so I'm not too familiar with what I'm seeing, but this looks suspicious. I opened up the Event Viewer and in the system logs I saw some activity at 3:05 AM, long after I leave work.

Here is what happened in order:
---------------------------------------------------------
At 3:05 AM, Source USER32 under NT AUTHORITY\SYSTEM "The process winlogon.exe has initiated the restart of COMPANY-4295314 for the following reason: No title for this reason could be found"

In the next 2 minutes...

The Network Associates McShield service entered the stopped state.
The Event log service was stopped.
Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.
The Event log service was started.
The Terminal Services service entered the running state.
The Fast User Switching Compatibility service was successfully sent a start control.
The Fast User Switching Compatibility service entered the running state.
The NaiAvFilter1 service was successfully sent a start control.
The Network Location Awareness (NLA) service was successfully sent a start control.
The SSDP Discovery Service service was successfully sent a start control.
The SSDP Discovery Service service entered the running state.
The Application Layer Gateway Service service was successfully sent a start control.
The Application Layer Gateway Service service entered the running state.
The BrSplService service has reported an invalid current state 0.
The BrSplService service entered the stopped state.
The Computer Browser service entered the stopped state.
Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link.
The Telephony service entered the running state.
The Remote Access Connection Manager service was successfully sent a start control.

Finally at 3:07 AM The Remote Access Connection Manager service entered the running state.
There are no more logs after this point.
---------------------------------------------------------

Now, this looks to me like the system was restarted remotely, event logging was turned off and a remote access connection was made. I admit I know little of system logs, but this is an odd time for this computer to have activity.

If anyone could help me out I'd really appreciate it... Does this look suspicious to you guys?

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Well, I didn't set up this system, but after checking I saw that the scan is scheduled for 3:00 AM but it was cancelled last night during system shutdown. I don't know why the system would have shut down though...

The default configuration for Windows update service is to download and install updates at about 3 am. If you were running a scan at the time, it would have been interrupted. The last update from MS required a system reboot. Depending on your policies, that is likely what caused the system restart. Check the configuration in Start, Control Panel, Automatic Updates. The settings may be grayed out, depending on network settings, but you should be able to read them.

Your _system_ event log should show several (but maybe only one) Windows Update events. If it doesn't, I hope you have other logs.....


"TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts"

and work from there.....

It sounds like something going on isn't right....

What's the OS and SP level you are using... I'm guessing XP SP2.....


Yep, XP SP2... wow, I didn't realize that the service pack limits the connection attempts to 10. That's hardly any, and I was still at work yesterday when that log was made, so I don't think it's too suspicious. I don't know, I'm probably being over paranoid.
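
The check suggested in the replies (look in the System log for a Windows Update entry just before the restart) can be run over an exported log. The following Python is an added example, not part of the original thread; the rows are constructed from the log quoted above, and the date, the Windows Update Agent row and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source, message). Messages follow the log quoted
# in the thread; the date and the Windows Update row are assumptions for the demo.
SAMPLE = [
    ("2006-01-10 03:00:41", "Windows Update Agent",
     "Restart Required (constructed message)"),
    ("2006-01-10 03:05:10", "USER32",
     "The process winlogon.exe has initiated the restart of COMPANY-4295314 "
     "for the following reason: No title for this reason could be found"),
    ("2006-01-10 03:05:40", "Service Control Manager",
     "The Network Associates McShield service entered the stopped state."),
    ("2006-01-10 03:05:55", "EventLog", "The Event log service was stopped."),
    ("2006-01-10 03:06:30", "EventLog", "The Event log service was started."),
    ("2006-01-10 03:07:02", "Service Control Manager",
     "The Remote Access Connection Manager service entered the running state."),
]

RESTART = re.compile(r"The process (\S+) has initiated the restart of (\S+)")

def parse(rows):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), src, msg) for t, src, msg in rows]

def explain_restarts(rows, lookback=timedelta(minutes=30), boot=timedelta(minutes=5)):
    """For each USER32 restart record, report what surrounds it in the System log."""
    events = sorted(parse(rows))
    findings = []
    for when, src, msg in events:
        m = RESTART.search(msg)
        if src != "USER32" or not m:
            continue
        before = [e for e in events if when - lookback <= e[0] < when]
        after = [e for e in events if when < e[0] <= when + boot]
        # Assumption: any source containing "update" counts as a Windows Update entry.
        update = any("update" in s.lower() for _, s, _ in before)
        stopped = [t for t, _, x in after if "Event log service was stopped" in x]
        started = [t for t, _, x in after if "Event log service was started" in x]
        # A stop followed by a start is the log closing and reopening across the reboot.
        cycled = bool(stopped and started and min(stopped) < max(started))
        findings.append({
            "time": when, "process": m.group(1), "host": m.group(2),
            "update_before_restart": update, "eventlog_cycled": cycled,
            "needs_review": not update,  # no update entry: look for another cause
        })
    return findings

if __name__ == "__main__":
    for finding in explain_restarts(SAMPLE):
        print(finding)
```

A restart with `needs_review` set is not proof of anything; it only means the update explanation is not supported by the log and other logs should be checked.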